Hancitor Word Document Installing CobaltStrike Hacking Tool in AD Environment

Hancitor is a downloader malware distributed through spam emails, and it has been steadily distributed since 2016. Recently, a variant that installs CobaltStrike through additional payloads is being distributed, so users must take caution. The malware is distributed via attachment files or download links in spam emails, and it usually uses Microsoft Office document files. The recently discovered variant is a Word document file that includes a malicious VBA macro. When the document is opened, the following image is displayed…

Malicious Word Document Impersonating U.S. Investment Bank (External Connection + VBA Macro)

The ASEC analysis team is continually reporting malicious documents disguised as North Korea-related or public-institution materials that are being distributed. In this post, the team will introduce a malicious DOC (Word) document impersonating a U.S. investment bank. See [Figure 1] for more details. The .doc document operates in the macOS environment and installs a backdoor on the user's PC upon infection. As shown in Figure 2, the malicious DOC (Word) document has an external connection. Upon opening…

ASEC Weekly Malware Statistics (May 3rd, 2021 – May 9th, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 3rd, 2021 (Monday) to May 9th, 2021 (Sunday). For the main category, info-stealer ranked top with 72.7%, followed by RAT (Remote Administration Tool) malware with 16.0%, CoinMiner with 8.2%, Ransomware with 1.7%, and downloader with 1.3%. Top 1 – AgentTesla: AgentTesla was ranked first place with 25.1%. It is an info-stealer malware…

Cobalt Strike Targeting Korean Companies Being Distributed (Part 2)

The ASEC analysis team is monitoring attacks that utilize the Cobalt Strike hacking tool. In this article, the team will examine the latest Cobalt Strike attacks, which were confirmed after the publication of the previous article that introduced the Cobalt Strike hacking tool. An attack confirmed on April 23 revealed that the Cobalt Strike beacon was run by a process with the command line shown below. Cobalt Strike threat actors usually designate and run the normal process after giving…

Info-leaking Malware Distributed Through Google Keyword Search

The ASEC analysis team has previously dealt with BeamWinHTTP malware being distributed through adware and PUP programs. When users install cracks and keygens by downloading the installers from a phishing page, various PUP programs and BeamWinHTTP malware are installed together. BeamWinHTTP additionally installs info-leaking malware (info-stealers). When users search with keywords such as program names, ‘crack,’ and ‘keygen’ in a search engine like Google, they may come across websites with fake shortened URLs. In the example below, the short URL is…